The Daily Incite - July 23, 2007
July 23, 2007 - Volume 2, #107
Good Morning:
I've got mixed feelings about religion. Yes, I'm a believer - but I neither expect nor care whether anyone else is. Unfortunately not everyone shares my laissez-faire attitude. The sad truth is that religion is behind almost every major war and lots of other catastrophes. It is something to behold (and not for good reasons) that a belief system would get folks to go to war with others that don't believe. But what do I know, I'm just a hack with a keyboard?
I bring this up because I need to confess. Not being a Catholic, what I know about the ritual of confession is largely from movies, TV, and a scant few conversations with friends. The dark room, the baring of your soul to an unseen minion. It all seems pretty cloak and dagger to me. But the idea of acknowledging your sins and asking for forgiveness is very powerful. And I need to own up to the fact that I've taken this "vacation" thing a bit too far. I let go of the healthy eating and exercise plan for the past two weeks and I've been less productive than I need to be.
It was great to be away for a week and then with my road trip last week, I was out of sync. I like to think I thrive in an unstructured environment, but maybe not so much. Today is a new day, and after getting on the scale this AM - the damage was pretty contained. My work deliverables aren't exactly "late," but I'll crank those out over the next day or two. But I need to get back on the wagon. I'll get back into my routine, just in time to head out to Black Hat next week and have things thrown into a tizzy by travel and all sorts of other hijinks.
So what does this have to do with anything? Sometimes you get out of sync. Sometimes your routines are thrown to the wind. Fix it and move on. There's no use in beating yourself up about it. What's done is done; as long as your transgressions don't have jail time involved and you make proper amends, then it's all good. That's my plan. On that note, I have a routine to get back into.
Have a great day.
Technorati: Information Security, CSO
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Top Security News
Purity of security research - give me a break?
So what? -
Evidently bug and exploit hunters aren't supposed to be members of the global economy. That's the only explanation I can come up with to justify the idea that these folks should not be accorded a market price for what they do. This AP story on security researchers makes some points that I just can't get on board with. Since when do you pay your mortgage with "appreciation"? That and $4 will get you a cup of coffee. Security research is a business like anything else. Some companies will pay for bugs to get a perceived jump on the competition. From where I sit, there is nothing wrong with that. It's not clear if end customers will receive any value. If so, then a market will emerge. If not, then it won't. But these folks certainly have a right to try. And I'm not sure what school of economics Schneier graduated from, but his quote in this story is dumb. Good and bad guys driving the price up? Actually competition drives prices down.
Testing your NAC
So what? -
Good article here in Network Computing about Fratto's experience setting up a NAC test bed. I think testing in a pseudo-production environment is a critical part of the procurement process. But getting the test bed right is pretty hard, and getting it to even roughly approximate a real-world scenario is tough. That being said, it's important because you never know how something is going to perform until you try it. I know this is a shocker, but sometimes vendor sales folks stretch the capabilities of their product. Maybe it's in the "next" release or whatever - but since your credibility is on the line if you give the green light to a product, you need to make sure it does what it's supposed to.
Deal: HP buys Opsware - Security a data center ops feature
So what? -
The deal of the day involves HP buying data center management software provider Opsware for $1.6B in cash. Nice outcome, and it clearly shows that HP is being very aggressive on the software side of the house. Now Opsware wasn't really a "security" player, but they do large scale configuration and operations management. Security is one of those functions, and when dealing with an increasingly virtualized data center - the ability to abstract security is really table stakes. This is another data point towards security being a feature of larger IT operations. I also think this has a negative effect on the exit strategies of the other configuration management players (BigFix, Configuresoft, etc.) in that HP was a logical acquirer for specialized technology in this space. It's like when Cisco bought Airespace and said security was built in - that took Cisco out of the market for a stand-alone wireless IPS company. And two years later, the wireless IPS players are still standing alone. The same thing is likely to happen to the configuration management players.
The Laundry List
- Another deal - Aruba buys Network Chemistry's wireless security business. Speaking of wireless IPS, Aruba gets its piece - likely for a song and a dance. There is little standalone value to wireless security. - Network Chemistry release
- Yup, it's the marketing. Steve Gold is chagrined that SYMC chased the buzzword with their new anti-bot offering. And that's a surprise? - Security Watch blog
- Another for the too little, too late files. AOL introduces "Internet Security Central," which is basically a get McAfee for free web site. You just need an AOL email address (and those are free, sports fans). Who said AV wasn't a total commodity? - AOL release
Top Blog Postings
Know your network or know your resume
My ATL buddy, AndyITGuy (and his last name is not ITGuy) has a great post about the importance of knowing what's going on with your network. Remember, the hallmark of the Pragmatic CSO's operational approach is to REACT FASTER, and unless you know what is going on with your network - there is no way you can get there. Andy focuses on documentation as the first order of business, and I agree with that, but to me - that's table stakes. Folks that don't like to document things probably suffer from a self-esteem problem. If all of the information is in their head, then they are indispensable, right? Wrong. And anyway, I was never smart enough to keep all those details straight, so write them down and train your team to take your position. That's leadership. Once you have documentation, then you need to take a baseline, make sure the baseline is clean, and then monitor against that baseline. Not too hard, right? Right!
http://andyitguy.blogspot.com/2007/07/out-of-control-network.html
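The document-baseline-monitor loop above is easy to say and rarely scripted, so here is an added example of the last two steps (not code from Andy's post or from this newsletter): a baseline inventory of listening services is audited for things that should never be there, then a later observation is diffed against it to flag drift. Both inventories are constructed sample data, and the record format (host, port, proto, service) is an assumption made for illustration rather than any particular scanner's output.

```python
"""Baseline-and-drift check for a documented network inventory.

Added example. The inventories below are constructed sample data and the
four-field record format is an assumption, not any real tool's output.
"""
from collections import defaultdict

# Constructed baseline: what the documentation says should be listening.
BASELINE = """\
# host,port,proto,service
10.0.1.10,22,tcp,ssh
10.0.1.10,443,tcp,https
10.0.1.20,25,tcp,smtp
10.0.1.20,22,tcp,ssh
10.0.1.30,53,udp,dns
"""

# Constructed observation, e.g. a fresh scan of the same range a week later.
OBSERVED = """\
# host,port,proto,service
10.0.1.10,22,tcp,ssh
10.0.1.10,443,tcp,https
10.0.1.10,3389,tcp,ms-wbt-server
10.0.1.20,22,tcp,ssh
10.0.1.30,53,udp,dns
10.0.1.99,23,tcp,telnet
"""

# Services that must never appear in a "clean" baseline (assumed policy).
FORBIDDEN_SERVICES = ("telnet", "ftp", "rsh", "rlogin")


def parse_inventory(text):
    """Parse 'host,port,proto,service' lines into {host: {(port, proto): service}}.

    Blank lines and '#' comments are skipped. Malformed lines raise instead of
    being dropped: a silently lost record makes the baseline look cleaner than it is.
    """
    inventory = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        host, port, proto, service = fields
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: unknown protocol {proto!r}")
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"line {lineno}: port {port} out of range")
        inventory[host][(port, proto)] = service
    return dict(inventory)


def audit_baseline(inventory, forbidden=FORBIDDEN_SERVICES):
    """Step 'make sure the baseline is clean': list records running a forbidden service."""
    hits = []
    for host in sorted(inventory):
        for (port, proto), service in sorted(inventory[host].items()):
            if service.lower() in forbidden:
                hits.append((host, port, proto, service))
    return hits


def diff_inventory(baseline, observed):
    """Step 'monitor against that baseline': report hosts/services that appeared,
    disappeared, or changed identity on the same port."""
    report = {"new_hosts": [], "missing_hosts": [], "new_services": [],
              "missing_services": [], "changed_services": []}
    for host in sorted(set(baseline) | set(observed)):
        before = baseline.get(host, {})
        after = observed.get(host, {})
        if host not in baseline:
            report["new_hosts"].append(host)
        elif host not in observed:
            report["missing_hosts"].append(host)
        for key in sorted(set(before) | set(after)):
            port, proto = key
            if key not in before:
                report["new_services"].append((host, port, proto, after[key]))
            elif key not in after:
                report["missing_services"].append((host, port, proto, before[key]))
            elif before[key] != after[key]:
                report["changed_services"].append((host, port, proto, before[key], after[key]))
    return report


if __name__ == "__main__":
    base = parse_inventory(BASELINE)
    print("baseline policy violations:", audit_baseline(base))
    for category, rows in diff_inventory(base, parse_inventory(OBSERVED)).items():
        for row in rows:
            print(f"{category}: {row}")
```

Run once to audit the documented baseline (it should come back empty before you trust it), then run the diff on every fresh scan; a new host answering on 23/tcp or an unexpected 3389/tcp on a web server is exactly the kind of change you want to see the day it happens, not the day the incident responders ask about it.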
Should you care about Snort licensing?
Sourcefire's Marty Roesch has been taking a lot of heat for the changes that they made to the Snort 3.0 license. Should you care? I know Shimel (he weighed in on the Snort discussion here and here) is going to jump all over me, but if you are an end-user - the answer is a resounding no. In fact, I think all of these gyrations about open source vs. closed source vs. free as in beer are a waste of time. To me it's pretty simple: you either are paying for something or you aren't. If you aren't, then you can't expect support, and you can't make money off of it if you are a vendor. Parasite vendors that don't license the right to use the open source technology in their stuff are scumbags and they should be outed as cheats and scoundrels. Any other licensing discussions equate to the Full Employment Act for Lawyers of 2003. That's why most lawyers are a pain in the ass. They split hairs and focus on words instead of getting things done. There are exceptions to the rule, but I have a low opinion of most lawyers, if you couldn't tell. And furthermore, Snort is Sourcefire's code; they can and should do whatever they want with it. You don't like it? Go buy/use something else.
http://securitysauce.blogspot.com/2007/07/what-up-with-snort-licensing.html
I'll take shelter for $300, Alex
Ravi Char breaks out Maslow to discuss the security business in this post. Actually, the similarities start and end at the fact that both use a 5-step pyramid to make their points. But Ravi's point is well-taken: there are all flavors and types of organizations out there and many have differing views of what security means to them. Also of note is that there is no free lunch, and if you want to go from one level to the next - there is a cost. It's probably money, but it's also time and training resources. The cost increases exponentially as you go higher in the pyramid, which I'm not sure I buy. But that's neither here nor there; the reality is there is a right place on the pyramid for every organization and you need to figure out where that right place is.
http://ravichar.blogharbor.com/blog/_archives/2007/7/8/3079153.html
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite